Authentication using JWT

[ghostidentity]

Hello guys,

I'm seeking help where i want the client to connect to nats server using JWT, the requirement is that, only the client with valid jwt will be able to publish to the specific topic.

On this setup, the server will still accept the connection even if the token is not valid ?

On server, how to correct generate the user KEY and enforce that only valid token able to call spefiic topc ?

The code i have is not working:

okp, err := nkeys.CreateOperator()
	if err != nil {
		return nil, nil, fmt.Errorf("error creating operator: %w", err)
	}

	opub, err := okp.PublicKey()
	if err != nil {
		return nil, nil, fmt.Errorf("error getting operator public key: %w", err)
	}

	oc := jwt.NewOperatorClaims(opub)
	oc.Name = "operator"
	operatorJWT, err := oc.Encode(okp)
	if err != nil {
		return nil, nil, fmt.Errorf("error encoding operator JWT: %w", err)
	}

	// Create account
	accountKP, err := nkeys.CreateAccount()
	if err != nil {
		return nil, nil, fmt.Errorf("error creating account: %w", err)
	}

	apub, err := accountKP.PublicKey()
	if err != nil {
		return nil, nil, fmt.Errorf("error getting account public key: %w", err)
	}

	ac := jwt.NewAccountClaims(apub)
	ac.Name = "sysrefiners"

	// Sign account JWT with operator key
	accountJWT, err := ac.Encode(okp)
	if err != nil {
		return nil, nil, fmt.Errorf("error encoding account JWT: %w", err)
	}

	// Create server user with full permissions
	serverJWT, serverSeed, err := createUser(accountKP, "ServerClient", true)

	log.Printf("serverJWT JWT: %s\n", serverJWT)
	log.Printf("serverSeed Seed: %s\n", serverSeed)

	if err != nil {
		return nil, nil, fmt.Errorf("error creating server user: %w", err)
	}

	// Create desktop client user with restricted permissions
	desktopJWT, desktopseed, err := createUser(accountKP, "DesktopClient", false)
	if err != nil {
		return nil, nil, fmt.Errorf("error creating desktop user: %w", err)
	}
	log.Printf("Desktop JWT: %s\n", desktopJWT)
	log.Printf("Desktop Seed: %s\n", desktopseed)

	// Create temp directory for server configuration
	tempDir, err := os.MkdirTemp("", "nats-server")
	if err != nil {
		return nil, nil, fmt.Errorf("error creating temp directory: %w", err)
	}

	configFilePath := fmt.Sprintf("%s/nats-server.conf", tempDir)
	configFile, err := os.Create(configFilePath)
	if err != nil {
		return nil, nil, fmt.Errorf("error creating config file: %w", err)
	}
	defer configFile.Close()

	// Enhanced server configuration with strict JWT enforcement
	configContent := fmt.Sprintf(`{
        "port": 4222,
        "operator": "%s",
        "system_account": "%s",
        "resolver": {
            "type": "memory",
            "enable_caching": false
        },
        "max_connections": 1000,
        "max_subscriptions": 500,
        "authorization": {
            "timeout": 2,
            "allow_responses": true
        },
        "jwt": {
            "trusted_operators": ["%s"],
            "strict": true
        },
        "no_auth_user": "",
        "no_sys_acc": true,
        "accounts": {
            "%s": {
                "jwt": "%s",
                "users": [
                    {"jwt": "%s"},
                    {"jwt": "%s"}
                ]
            }
        }
    }`, operatorJWT, apub, opub, apub, accountJWT, serverJWT, desktopJWT)

	if _, err := configFile.Write([]byte(configContent)); err != nil {
		return nil, nil, fmt.Errorf("error writing config file: %w", err)
	}

	// Start the server
	opts := &server.Options{
		ConfigFile:  configFilePath,
		AuthTimeout: 2.0,
		NoAuthUser:  "",
		Trace:       true, // Enable detailed auth logging
		Debug:       true, // Enable debug logging
	}

	srv, err := server.NewServer(opts)
	if err != nil {
		return nil, nil, fmt.Errorf("error creating NATS server: %w", err)

[mtmk]

You need to use the Jwt property

var opts = new NatsOpts
{
    AuthOpts = new NatsAuthOpts
    {
        Jwt = userJwt,
        Seed = userKey,
    },
};

Also consider using CredsFile too since that contains both the JWT and the seed.

[ghostidentity]

You need to use the Jwt property

var opts = new NatsOpts
{
    AuthOpts = new NatsAuthOpts
    {
        Jwt = userJwt,
        Seed = userKey,
    },
};

Also consider using CredsFile too since that contains both the JWT and the seed.

I really tried this approach, but its not working.. When using JWT based authentication where the UserAccess is created from accountseed, there is no need to use " CustomClientAuthentication: &CustomAuth{}," ?. Also, on the configfile, how does the process validate the token ?

[ghostidentity]

Would be good if nats has documentation about cross platform integration between c# and go, using jwt based authentication.

[mtmk]

@ghostidentity it should work. can you create a minimal example repo with what you have? I can try it on my side as well.

[ghostidentity]

sample.zip
@mtmk I attached the sample project, if you run the go file, it still able to connect to the server even if the jwt is invalid, and the topic does not exist.

[mtmk]

thanks i'll have a look

[mtmk]

@ghostidentity I'm not a Go expert or running embedded server expert but there seems to be an issue loading the config for the server (e.g. make the config invalid or change the port for example, server still runs with defaults.) So the only way I got the config read was by adding this right before server new:

        //
        // ADDED THIS LINE
        //
	err = opts.ProcessConfigFile(configFilePath)

	if err != nil {
		log.Fatalf("Error processing config file: %v", err)
	}

	srv, err := server.NewServer(opts)
	if err != nil {
		log.Fatalf("Error starting NATS server: %v", err)
	}

        //
        // ALSO ADDED THIS LINE FOR LOGGING TO STDOUT
        //
	srv.SetLogger(logger.NewStdLogger(true, false, false, false, true), false, false)

	srv.Start()

... which shows an error with the config.

edit: btw you don't have to run the server embedded for this to work just create the config and run the server binary

[ghostidentity]

Thank you, the error was supressed as it was a lacking method call ProcessConfigFile, the assumption is that, when the configFile is appended to the server.options, it will be configured but its not.